zgrat | 1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a.exe
Size

2.6MB
MD5

622af327a5c66ca6d6d41bf02384b590
SHA1

2e09d3d9017aec9781b77144323eacb06e7838c4
SHA256

1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a
SHA512

6155abf3c3131a7bfd2a7be9f216ee3e65a3492e8d2de256e98db8569a79cdbab3de710e41fa803aab5f96876a3eaf6ec813bb7320bca36c45d8eded34f1ecb9
SSDEEP

49152:IBJgMDRANx3WB2aXuAoVNcqUhwMH9tM+EvhyJWXovJaDiSNESDgKZR8f:yn0VkZ0yF9tMhGwHuV5KZef

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/files/0x000a0000000224f7-10.dat	family_zgrat_v1
behavioral2/memory/4992-12-0x0000000000BA0000-0x0000000000E64000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 2 IoCs

resource	yara_rule
behavioral2/files/0x000a0000000224f7-10.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/4992-12-0x0000000000BA0000-0x0000000000E64000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	hyperbrokerhostNetsvc.exe

Executes dropped EXE 2 IoCs

pid	Process
4992	hyperbrokerhostNetsvc.exe
2200	spoolsv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Client\spoolsv.exe	hyperbrokerhostNetsvc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\spoolsv.exe	hyperbrokerhostNetsvc.exe
File created	C:\Program Files\Microsoft Office\root\Client\f3b6ecef712a24	hyperbrokerhostNetsvc.exe
File created	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\AppxMetadata\dllhost.exe	hyperbrokerhostNetsvc.exe
File created	C:\Program Files\Java\jre-1.8\lib\amd64\hyperbrokerhostNetsvc.exe	hyperbrokerhostNetsvc.exe
File created	C:\Program Files\Java\jre-1.8\lib\amd64\b8bca7ac5230a7	hyperbrokerhostNetsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ShellExperiences\conhost.exe	hyperbrokerhostNetsvc.exe
File created	C:\Windows\ShellExperiences\088424020bedd6	hyperbrokerhostNetsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	hyperbrokerhostNetsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3320	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe
4992	hyperbrokerhostNetsvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4992	hyperbrokerhostNetsvc.exe
Token: SeDebugPrivilege	2200	spoolsv.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 3608	2828	1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a.exe	91
PID 2828 wrote to memory of 3608	2828	1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a.exe	91
PID 2828 wrote to memory of 3608	2828	1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a.exe	91
PID 3608 wrote to memory of 1736	3608	WScript.exe	104
PID 3608 wrote to memory of 1736	3608	WScript.exe	104
PID 3608 wrote to memory of 1736	3608	WScript.exe	104
PID 1736 wrote to memory of 4992	1736	cmd.exe	106
PID 1736 wrote to memory of 4992	1736	cmd.exe	106
PID 4992 wrote to memory of 1660	4992	hyperbrokerhostNetsvc.exe	107
PID 4992 wrote to memory of 1660	4992	hyperbrokerhostNetsvc.exe	107
PID 1660 wrote to memory of 3076	1660	cmd.exe	109
PID 1660 wrote to memory of 3076	1660	cmd.exe	109
PID 1660 wrote to memory of 3320	1660	cmd.exe	110
PID 1660 wrote to memory of 3320	1660	cmd.exe	110
PID 1660 wrote to memory of 2200	1660	cmd.exe	113
PID 1660 wrote to memory of 2200	1660	cmd.exe	113

C:\Users\Admin\AppData\Local\Temp\1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a.exe
"C:\Users\Admin\AppData\Local\Temp\1b41fe8ede3b534d1ce19e0d2976fa735e7e2187d17dcbea6c337ed176ad038a.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\PortCommon\rjsrhuSUuh9cpi71VW4.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\PortCommon\nit1Mf9O4EmsELqVOc064rhxVFPSMSL237.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\PortCommon\hyperbrokerhostNetsvc.exe
      "C:\PortCommon/hyperbrokerhostNetsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4992
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZjZ0UfbLvd.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1660
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3076
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:3320
      - C:\Program Files\Microsoft Office\root\Client\spoolsv.exe
        
        "C:\Program Files\Microsoft Office\root\Client\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PortCommon\hyperbrokerhostNetsvc.exe

Filesize
5.7MB

MD5
23710df1e01cfc3fa04052ba9f873d98

SHA1
d94a2da61571f7bb2f8a699cba385ab043c4b26b

SHA256
aec8ca62dea4bc175b0f8aed5a38fda3e879657b9d1e8dea0cdca274c4d1f3d9

SHA512
946409d67f3d4a5536fc7bc2267a1cc3a5b22334c92b635236282a9c348cc6321910e1052e8d70cc41b67d07bda422a6de01423c82c262061d60b3a3c7fcbf66

Download Submit
C:\PortCommon\nit1Mf9O4EmsELqVOc064rhxVFPSMSL237.bat

Filesize
91B

MD5
9e914413951f28ca613d66a082e6bdf5

SHA1
74c3592959853f6798a62cd735e120412d73445a

SHA256
9d67c2b67e4babb2d62c1318bd530c1706a28c7ae662cdf584dd3da06ba8bb03

SHA512
b2e17288b6a06c3ae138efcdf02b9bfc61f7416e109fe4459b9c39b682eed0a303564be7349e02af15bc2eec2c1ae6c1cb347dd7415de49627fed6bfdf7ae2e3

Download Submit
C:\PortCommon\rjsrhuSUuh9cpi71VW4.vbe

Filesize
223B

MD5
cf90e55a446d37686cb2816d101b5bb7

SHA1
7385714bbdeea11d6a430803f05a59ccd7d7e5d9

SHA256
38b60adc9820b53f1e37c5f17efd047e523a3f1b1c0486e5fd289d58b65bb5c2

SHA512
aa74811a63a82d07faa38512d2fbf119cb4c0a35e10443372ffa153fde1ddcaf2781c9b11e8da9fda8becb138050587adfbc57e43e964df1fe4fb2caf86dc86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZjZ0UfbLvd.bat

Filesize
185B

MD5
ff7f6014e552ba335e00e70fa0eb3df7

SHA1
0cfc22230e792702bcbc7bffe4056cd610765703

SHA256
075444b60e8746d03c58ffafb609e4ab2bfdaa355879876774d2103d2e749c24

SHA512
fef0ad330e01bc02b334b358846553e3d72dfe8ebf1a8fdaa0ae9a98ebb34a18dba16d7172f15484c06df0385c6ad6161456750a087f95b37cf73f22a27338d4

Download Submit
memory/2200-107-0x00007FFD88230000-0x00007FFD88231000-memory.dmp

Filesize
4KB

Download
memory/2200-104-0x00007FFD88250000-0x00007FFD88251000-memory.dmp

Filesize
4KB

Download
memory/2200-118-0x00007FFD881F0000-0x00007FFD881F1000-memory.dmp

Filesize
4KB

Download
memory/2200-116-0x00007FFD88200000-0x00007FFD88201000-memory.dmp

Filesize
4KB

Download
memory/2200-114-0x00007FFD88210000-0x00007FFD88211000-memory.dmp

Filesize
4KB

Download
memory/2200-112-0x00007FFD68020000-0x00007FFD68AE1000-memory.dmp

Filesize
10.8MB

Download
memory/2200-113-0x000000001B5A0000-0x000000001B5B0000-memory.dmp

Filesize
64KB

Download
memory/2200-109-0x00007FFD88220000-0x00007FFD88221000-memory.dmp

Filesize
4KB

Download
memory/2200-122-0x00007FFD881D0000-0x00007FFD881D1000-memory.dmp

Filesize
4KB

Download
memory/2200-102-0x00007FFD88260000-0x00007FFD88261000-memory.dmp

Filesize
4KB

Download
memory/2200-105-0x00007FFD88240000-0x00007FFD88241000-memory.dmp

Filesize
4KB

Download
memory/2200-120-0x00007FFD881E0000-0x00007FFD881E1000-memory.dmp

Filesize
4KB

Download
memory/2200-97-0x00007FFD88280000-0x00007FFD88281000-memory.dmp

Filesize
4KB

Download
memory/2200-128-0x000000001C760000-0x000000001C82D000-memory.dmp

Filesize
820KB

Download
memory/2200-99-0x00007FFD88270000-0x00007FFD88271000-memory.dmp

Filesize
4KB

Download
memory/2200-96-0x00007FFD88290000-0x00007FFD8834E000-memory.dmp

Filesize
760KB

Download
memory/2200-94-0x000000001B5A0000-0x000000001B5B0000-memory.dmp

Filesize
64KB

Download
memory/2200-95-0x00007FFD88290000-0x00007FFD8834E000-memory.dmp

Filesize
760KB

Download
memory/2200-92-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/2200-91-0x000000001B5A0000-0x000000001B5B0000-memory.dmp

Filesize
64KB

Download
memory/2200-90-0x00007FFD68020000-0x00007FFD68AE1000-memory.dmp

Filesize
10.8MB

Download
memory/4992-30-0x0000000003050000-0x0000000003060000-memory.dmp

Filesize
64KB

Download
memory/4992-41-0x000000001C7F0000-0x000000001C802000-memory.dmp

Filesize
72KB

Download
memory/4992-43-0x000000001BBA0000-0x000000001BBB0000-memory.dmp

Filesize
64KB

Download
memory/4992-45-0x000000001C810000-0x000000001C826000-memory.dmp

Filesize
88KB

Download
memory/4992-46-0x00007FFD88210000-0x00007FFD88211000-memory.dmp

Filesize
4KB

Download
memory/4992-48-0x000000001C830000-0x000000001C842000-memory.dmp

Filesize
72KB

Download
memory/4992-49-0x000000001BBA0000-0x000000001BBB0000-memory.dmp

Filesize
64KB

Download
memory/4992-50-0x00007FFD88290000-0x00007FFD8834E000-memory.dmp

Filesize
760KB

Download
memory/4992-51-0x00007FFD88200000-0x00007FFD88201000-memory.dmp

Filesize
4KB

Download
memory/4992-52-0x000000001CD80000-0x000000001D2A8000-memory.dmp

Filesize
5.2MB

Download
memory/4992-54-0x000000001C770000-0x000000001C77E000-memory.dmp

Filesize
56KB

Download
memory/4992-55-0x00007FFD881F0000-0x00007FFD881F1000-memory.dmp

Filesize
4KB

Download
memory/4992-57-0x000000001C780000-0x000000001C790000-memory.dmp

Filesize
64KB

Download
memory/4992-58-0x00007FFD881E0000-0x00007FFD881E1000-memory.dmp

Filesize
4KB

Download
memory/4992-60-0x000000001C790000-0x000000001C79E000-memory.dmp

Filesize
56KB

Download
memory/4992-62-0x00007FFD881C0000-0x00007FFD881C1000-memory.dmp

Filesize
4KB

Download
memory/4992-61-0x00007FFD881D0000-0x00007FFD881D1000-memory.dmp

Filesize
4KB

Download
memory/4992-64-0x000000001C870000-0x000000001C888000-memory.dmp

Filesize
96KB

Download
memory/4992-66-0x000000001C8E0000-0x000000001C92E000-memory.dmp

Filesize
312KB

Download
memory/4992-67-0x00007FFD881B0000-0x00007FFD881B1000-memory.dmp

Filesize
4KB

Download
memory/4992-83-0x000000001D2B0000-0x000000001D37D000-memory.dmp

Filesize
820KB

Download
memory/4992-84-0x00007FFD88290000-0x00007FFD8834E000-memory.dmp

Filesize
760KB

Download
memory/4992-85-0x00007FFD68020000-0x00007FFD68AE1000-memory.dmp

Filesize
10.8MB

Download
memory/4992-42-0x00007FFD88220000-0x00007FFD88221000-memory.dmp

Filesize
4KB

Download
memory/4992-39-0x000000001BB90000-0x000000001BB9E000-memory.dmp

Filesize
56KB

Download
memory/4992-37-0x00007FFD88230000-0x00007FFD88231000-memory.dmp

Filesize
4KB

Download
memory/4992-32-0x00007FFD88250000-0x00007FFD88251000-memory.dmp

Filesize
4KB

Download
memory/4992-34-0x000000001BB80000-0x000000001BB90000-memory.dmp

Filesize
64KB

Download
memory/4992-36-0x000000001BBA0000-0x000000001BBB0000-memory.dmp

Filesize
64KB

Download
memory/4992-35-0x00007FFD88240000-0x00007FFD88241000-memory.dmp

Filesize
4KB

Download
memory/4992-31-0x00007FFD68020000-0x00007FFD68AE1000-memory.dmp

Filesize
10.8MB

Download
memory/4992-28-0x00007FFD88260000-0x00007FFD88261000-memory.dmp

Filesize
4KB

Download
memory/4992-27-0x000000001C750000-0x000000001C768000-memory.dmp

Filesize
96KB

Download
memory/4992-25-0x000000001C7A0000-0x000000001C7F0000-memory.dmp

Filesize
320KB

Download
memory/4992-24-0x00007FFD88270000-0x00007FFD88271000-memory.dmp

Filesize
4KB

Download
memory/4992-23-0x000000001C730000-0x000000001C74C000-memory.dmp

Filesize
112KB

Download
memory/4992-21-0x00007FFD88290000-0x00007FFD8834E000-memory.dmp

Filesize
760KB

Download
memory/4992-20-0x00007FFD88280000-0x00007FFD88281000-memory.dmp

Filesize
4KB

Download
memory/4992-18-0x0000000003040000-0x000000000304E000-memory.dmp

Filesize
56KB

Download
memory/4992-19-0x00007FFD88290000-0x00007FFD8834E000-memory.dmp

Filesize
760KB

Download
memory/4992-16-0x000000001BBA0000-0x000000001BBB0000-memory.dmp

Filesize
64KB

Download
memory/4992-15-0x0000000001700000-0x0000000001701000-memory.dmp

Filesize
4KB

Download
memory/4992-14-0x000000001BBA0000-0x000000001BBB0000-memory.dmp

Filesize
64KB

Download
memory/4992-13-0x00007FFD68020000-0x00007FFD68AE1000-memory.dmp

Filesize
10.8MB

Download
memory/4992-12-0x0000000000BA0000-0x0000000000E64000-memory.dmp

Filesize
2.8MB

Download